wip - add endpoint to accomodate crud actions for users

Author: montesmoci

UnityAuth/src/main/java/io/unityfoundation/auth/AuthController.java

@@ -4,23 +4,15 @@
 import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.HttpStatus;
-import io.micronaut.http.annotation.Body;
-import io.micronaut.http.annotation.Controller;
-import io.micronaut.http.annotation.Post;
+import io.micronaut.http.annotation.*;
 import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.security.annotation.Secured;
 import io.micronaut.security.authentication.Authentication;
 import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.serde.annotation.Serdeable;
+import io.unityfoundation.auth.entities.*;
 import io.unityfoundation.auth.entities.Permission.PermissionScope;
-import io.unityfoundation.auth.entities.Service;
 import io.unityfoundation.auth.entities.Service.ServiceStatus;
-import io.unityfoundation.auth.entities.ServiceRepo;
-import io.unityfoundation.auth.entities.Tenant;
-import io.unityfoundation.auth.entities.Tenant.TenantStatus;
-import io.unityfoundation.auth.entities.TenantRepo;
-import io.unityfoundation.auth.entities.User;
-import io.unityfoundation.auth.entities.UserRepo;
 import jakarta.validation.constraints.NotNull;
 import java.util.List;
 import java.util.Optional;
@@ -33,11 +25,13 @@ public class AuthController {
   private final UserRepo userRepo;
   private final ServiceRepo serviceRepo;
   private final TenantRepo tenantRepo;
+  private final RoleRepo roleRepo;
 
-  public AuthController(UserRepo userRepo, ServiceRepo serviceRepo, TenantRepo tenantRepo) {
+  public AuthController(UserRepo userRepo, ServiceRepo serviceRepo, TenantRepo tenantRepo, RoleRepo roleRepo) {
     this.userRepo = userRepo;
     this.serviceRepo = serviceRepo;
     this.tenantRepo = tenantRepo;
+      this.roleRepo = roleRepo;
   }
 
   @Post("/principal/permissions")
@@ -49,7 +43,7 @@ public UserPermissionsResponse permissions(@Body UserPermissionsRequest requestD
     }
     Tenant tenant = maybeTenant.get();
 
-    if (!tenant.getStatus().equals(TenantStatus.ENABLED)){
+    if (!tenant.getStatus().equals(Tenant.TenantStatus.ENABLED)){
       return new UserPermissionsResponse.Failure("The tenant is not enabled.");
     }
 
@@ -110,6 +104,40 @@ public HttpResponse<HasPermissionResponse> hasPermission(@Body HasPermissionRequ
     return createHasPermissionResponse(true, user.getEmail(), null, commonPermissions);
   }
 
+  @Get("/roles")
+  public HttpResponse<?> getRoles() {
+    return HttpResponse.ok(roleRepo.findAll());
+  }
+
+  @Get("/tenants")
+  public HttpResponse<?> getTenants(Authentication authentication) {
+
+    String authenticatedUserEmail = authentication.getName();
+
+    if(userRepo.existsByEmailAndRoleEqualsUnityAdmin(authenticatedUserEmail)) {
+      return HttpResponse.ok(tenantRepo.findAll());
+    }
+
+    return HttpResponse.ok(tenantRepo.findAllByUserEmail(authenticatedUserEmail));
+  }
+
+  @Get("/tenants/{id}/users")
+  public HttpResponse<List<UserResponse>> getTenantUsers(@PathVariable Long id, Authentication authentication) {
+
+    // reject if the declared tenant does not exist
+    if (tenantRepo.existsById(id)) {
+      return HttpResponse.badRequest();
+    }
+
+    // todo: it would be nice to capture the roles and have them automatically mapped to UserResponse.roles
+    List<UserResponse> tenantUsers = userRepo.findAllByTenantId(id).stream().map(user ->
+            new UserResponse(user.getId(), user.getEmail(), user.getFirstName(), user.getLastName(),
+                    userRepo.getUserRolesByUserId(user.getId())
+                    )).toList();
+
+    return HttpResponse.ok(tenantUsers);
+  }
+
   private boolean checkUserStatus(User user) {
     return user == null || user.getStatus() != User.UserStatus.ENABLED;
   }

UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java

@@ -0,0 +1,106 @@
+package io.unityfoundation.auth;
+
+import io.micronaut.core.annotation.Nullable;
+import io.micronaut.http.HttpResponse;
+import io.micronaut.http.annotation.*;
+import io.micronaut.security.annotation.Secured;
+import io.micronaut.security.authentication.Authentication;
+import io.micronaut.security.rules.SecurityRule;
+import io.micronaut.serde.annotation.Serdeable;
+import io.unityfoundation.auth.entities.*;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+
+import java.util.List;
+
+@Secured(SecurityRule.IS_AUTHENTICATED)
+@Controller("/api/users")
+public class UserController {
+
+    private final UserRepo userRepo;
+    private final TenantRepo tenantRepo;
+
+    public UserController(UserRepo userRepo, TenantRepo tenantRepo) {
+        this.userRepo = userRepo;
+        this.tenantRepo = tenantRepo;
+    }
+
+    @Post
+    public HttpResponse<?> createUser(@Body AddUserRequest requestDTO,
+                                                 Authentication authentication) {
+
+        Long requestTenantId = requestDTO.tenantId();
+
+        // reject if the declared tenant does not exist
+        if (tenantRepo.existsById(requestTenantId)) {
+            return HttpResponse.badRequest("Tenant does not exist");
+        }
+
+        // reject if caller is not a unity nor tenant admin of the declared tenant
+        if (!isUserUnityOrTenantAdmin(authentication.getName(), requestTenantId)) {
+            return HttpResponse.badRequest("Authenticated user is not authorized to make changes under declared tenant.");
+        }
+
+        // reject if new user already exists under a tenant
+        if (userRepo.existsByEmailAndTenantId(requestDTO.email(), requestTenantId)) {
+            return HttpResponse.badRequest("User already exists under declared tenant.");
+        }
+
+        // reject if the declared roles supersede that of the authenticated user if authenticated user is not a unity admin
+        // ie. first condition is applied assumes that authenticated user is a tenant admin of the declared tenant
+
+        // if the new user exists, create a new user-role entry
+        // otherwise, create the user along with user-role entry
+
+    }
+
+    @Patch("{id}/roles")
+    public HttpResponse<UserResponse> updateUserRoles(@PathVariable Long id, @Body UpdateUserRolesRequest requestDTO,
+                                                Authentication authentication) {
+        // get user under tenant
+        // if unity admin, proceed; otherwise, reject if roles exceed authenticated user's under same tenant.
+        // apply patch
+
+
+        // return updated user
+    }
+
+    @Patch("{id}")
+    public HttpResponse<UserResponse> selfPatch(@PathVariable Long id, @Body UpdateSelfRequest requestDTO,
+                                                Authentication authentication) {
+        // get user (and verify id?)
+        // perform patch
+
+        // return updated user
+    }
+
+    private boolean isUserUnityOrTenantAdmin(String email, Long requestTenantId) {
+        return false;
+    }
+
+    @Serdeable
+    public record UpdateUserRolesRequest(
+            @NotNull Long tenantId,
+            List<String> roles) {
+    }
+
+    @Serdeable
+    public record AddUserRequest(
+            @NotBlank String email,
+            @NotBlank String firstName,
+            @NotBlank String lastName,
+            @NotNull Long tenantId,
+            @NotBlank String password,
+            @NotEmpty List<String> roles) {
+    }
+
+    @Serdeable
+    public record UpdateSelfRequest(
+            @NotBlank String firstName,
+            @NotBlank String lastName,
+            @NotBlank String password) {
+    }
+
+
+}

UnityAuth/src/main/java/io/unityfoundation/auth/UserResponse.java

@@ -0,0 +1,15 @@
+package io.unityfoundation.auth;
+
+import io.micronaut.serde.annotation.Serdeable;
+import jakarta.validation.constraints.NotNull;
+
+import java.util.List;
+
+@Serdeable
+public record UserResponse(
+        Long id,
+        String email,
+        String firstName,
+        String lastName,
+        List<Long> roles) {
+}

UnityAuth/src/main/java/io/unityfoundation/auth/entities/Role.java

@@ -0,0 +1,15 @@
+package io.unityfoundation.auth.entities;
+
+import io.micronaut.data.annotation.GeneratedValue;
+import io.micronaut.data.annotation.Id;
+import io.micronaut.data.annotation.MappedEntity;
+
+@MappedEntity
+public class Role {
+    @Id
+    @GeneratedValue
+    private Long id;
+
+    private String name;
+    private String description;
+}

UnityAuth/src/main/java/io/unityfoundation/auth/entities/RoleRepo.java

@@ -0,0 +1,11 @@
+package io.unityfoundation.auth.entities;
+
+
+import io.micronaut.data.annotation.Query;
+import io.micronaut.data.jdbc.annotation.JdbcRepository;
+import io.micronaut.data.model.query.builder.sql.Dialect;
+import io.micronaut.data.repository.CrudRepository;
+
+@JdbcRepository(dialect = Dialect.MYSQL)
+public interface RoleRepo extends CrudRepository<Role, Long> {
+}

UnityAuth/src/main/java/io/unityfoundation/auth/entities/TenantRepo.java

@@ -1,10 +1,23 @@
 package io.unityfoundation.auth.entities;
 
 
+import io.micronaut.data.annotation.Query;
 import io.micronaut.data.jdbc.annotation.JdbcRepository;
 import io.micronaut.data.model.query.builder.sql.Dialect;
 import io.micronaut.data.repository.CrudRepository;
 
+import java.util.List;
+
 @JdbcRepository(dialect = Dialect.MYSQL)
 public interface TenantRepo extends CrudRepository<Tenant, Long> {
+
+    @Query("""
+SELECT t.*
+FROM user_role ur
+    INNER JOIN tenant t ON t.id = ur.tenant_id
+    INNER JOIN user u ON u.id = ur.user_id
+WHERE u.email = :email
+    
+""")
+    List<Tenant> findAllByUserEmail(String email);
 }

UnityAuth/src/main/java/io/unityfoundation/auth/entities/UserRepo.java

@@ -14,6 +14,15 @@ public interface UserRepo extends CrudRepository<User, Long> {
 
   Optional<User> findByEmail(String email);
 
+  @Query("""
+    SELECT count(*) > 0
+    FROM user_role ur
+      inner join user u on u.id = ur.user_id
+    WHERE u.email = :email
+      and ur.tenant_id = :tenantId;
+""")
+  boolean existsByEmailAndTenantId(String email, Long tenantId);
+
   @Query("""
       SELECT count(*) > 0
 FROM user_role ur
@@ -49,5 +58,30 @@ SELECT count(*) > 0
 """)
   List<TenantPermission> getTenantPermissionsFor(Long userId);
 
+  @Query("""
+    select u.*
+    from user_role ur inner join user u on u.id = ur.user_id
+    where ur.tenant_id = :tenantId""")
+  List<User> findAllByTenantId(Long tenantId);
+
+  @Query("""
+select count(*) > 0
+    from user_role ur
+    inner join user u on u.id = ur.user_id
+    inner join role r on r.id = ur.role_id
+    where u.email = :email and (r.name = 'Unity Administrator' or r.name = 'Tenant Administrator')
+""")
+  boolean existsByEmailAndRoleEqualsUnityAdminOrTenantAdmin(String email);
+
+  @Query("""
+select count(*) > 0
+    from user_role ur
+    inner join user u on u.id = ur.user_id
+    inner join role r on r.id = ur.role_id
+    where u.email = :email and r.name = 'Unity Administrator'
+""")
+  boolean existsByEmailAndRoleEqualsUnityAdmin(String email);
 
+  @Query("select role_id from user_role where user_id = :userId")
+  List<Long> getUserRolesByUserId(Long userId);
 }